This article explains the new features in Pyramid version 1.7 as
compared to its predecessor, Pyramid 1.6. It also documents backwards
incompatibilities between the two versions and deprecations added to
Pyramid 1.7, as well as software dependency changes and notable
documentation additions.

If you are not currently specifying the hashalg option in your apps, then
this change means any existing auth tickets (and associated cookies) will no
longer be valid: users will be logged out and will have to log in to their
accounts again.

A new View Derivers concept has been added to Pyramid to allow
framework authors to inject elements into the standard Pyramid view pipeline
and affect all views in an application. This is similar to a decorator except
that it has access to options passed to config.add_view and can affect
other stages of the pipeline such as the raw response from a view or prior
to security checks. See https://github.com/Pylons/pyramid/pull/2021

Added an additional CSRF validation that checks the origin/referrer of a
request and makes sure it matches the current request.domain. This
particular check is only active when accessing a site over HTTPS, as otherwise
browsers don't always send the required information. If this additional CSRF
validation fails, a BadCSRFOrigin exception will be raised and may be
caught by exception views (the default response is 400 Bad Request).
Additional allowed origins may be configured by setting
pyramid.csrf_trusted_origins to a list of domain names (with ports if on
a non-standard port) to allow. Subdomains are not allowed unless the domain
name has been prefixed with a leading dot (.). See
https://github.com/Pylons/pyramid/pull/2501
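The following is an added, standalone model of the origin/referrer check described above; it is not Pyramid's own code. The `request` dict (scheme, domain, host_port, headers) stands in for a Pyramid request so the logic can be run offline, and the sample requests are constructed.

```python
from urllib.parse import urlsplit


def is_same_domain(host, pattern):
    """Match host[:port] against a trusted entry; a leading '.' also allows subdomains."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def check_csrf_origin(request, trusted_origins=()):
    """Return True when the request's Origin (or Referer) is acceptable and
    False when it should be rejected (where Pyramid raises BadCSRFOrigin).
    Over plain HTTP the check is skipped, because browsers do not reliably
    send the headers there, so it returns True."""
    if request["scheme"] != "https":
        return True
    headers = request["headers"]
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False  # HTTPS request without any origin information: reject
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc:
        return False  # scheme mismatch (e.g. http page posting to https) is rejected
    # The site's own domain is always trusted; the port is included only when
    # the site runs on a non-standard port, matching the setting's own format.
    allowed = list(trusted_origins)
    if request["host_port"] in ("80", "443"):
        allowed.append(request["domain"])
    else:
        allowed.append("%s:%s" % (request["domain"], request["host_port"]))
    return any(is_same_domain(parts.netloc, entry) for entry in allowed)


def _req(scheme, domain, port, **headers):
    """Build a constructed stand-in request (hypothetical helper, not a Pyramid API)."""
    return {"scheme": scheme, "domain": domain, "host_port": port, "headers": headers}


# Constructed sample requests, not captured traffic.
SAME_SITE = _req("https", "example.com", "443", Origin="https://example.com")
CROSS_SITE = _req("https", "example.com", "443", Origin="https://other.example.net")
SUBDOMAIN = _req("https", "example.com", "443", Referer="https://app.example.com/form")
NO_ORIGIN = _req("https", "example.com", "443")
PLAIN_HTTP = _req("http", "example.com", "80", Origin="http://anything.example")
```

With the subdomain request, `check_csrf_origin(SUBDOMAIN, [".example.com"])` passes while `[ "example.com" ]` (no leading dot) does not, which is the distinction the setting draws.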

New SQLAlchemy session management without any global DBSession. Replaced
by a per-request request.dbsession property.

A new authentication chapter demonstrating how to get simple authentication
bootstrapped quickly in an application.

Authorization was overhauled to show the use of per-route context factories
which demonstrate object-level authorization on top of simple group-level
authorization. Did you want to restrict page edits to only the owner but
couldn't figure it out before? Here you go!

The users and groups are stored in the database now instead of within
tutorial-specific global variables.